Skip to content

[zeek] Generate processor tags and normalize error handler #15721

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
+2,622 −208
Open

[zeek] Generate processor tags and normalize error handler #15721

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6808cee
[zeek] Generate processor tags and normalize error handler
taylor-swanson Oct 22, 2025
df07909
changelog
taylor-swanson Oct 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/zeek/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "3.0.3"
changes:
- description: Generate processor tags and normalize error handler.
type: enhancement
link: https://github.com/elastic/integrations/pull/15721
- version: "3.0.2"
changes:
- description: Remove unused agent files.
Expand Down
18 changes: 17 additions & 1 deletion packages/zeek/data_stream/capture_loss/elasticsearch/ingest_pipeline/default.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,45 +2,57 @@
description: Pipeline for normalizing Zeek capture_loss.log
processors:
- rename:
tag: rename_message_to_event_original_56a77271
field: message
target_field: event.original
ignore_missing: true
if: ctx.event?.original == null
- json:
tag: json_event_original_to__temp__7408cf8c
field: event.original
target_field: _temp_
- pipeline:
tag: pipeline_c69a6660
if: ctx?._temp_?.result != null
name: '{{ IngestPipeline "third-party" }}'
- drop:
tag: drop_c70c3de1
description: Drop if no timestamp (invalid json)
if: 'ctx?._temp_?.ts == null'
- rename:
tag: rename__temp__to_zeek_capture_loss_62ef1b3a
target_field: zeek.capture_loss
field: _temp_
# Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
- set:
tag: set_event_created_e3f09e3b
field: event.created
copy_from: "@timestamp"
- set:
tag: set_ecs_version_f5923549
field: ecs.version
value: '8.17.0'
- date:
tag: date_zeek_capture_loss_ts_aa14509f
field: zeek.capture_loss.ts
formats:
- UNIX
- ISO8601
- set:
tag: set_event_kind_495d69f0
field: event.kind
value: metric
- set:
tag: set_event_type_ec95f7f2
field: event.type
value: [info]
- convert:
tag: convert_zeek_percent_lost_b0ba2ad8
field: zeek.percent_lost
type: long
ignore_missing: true
- remove:
tag: remove_73e0896e
field:
- zeek.capture_loss.ts
ignore_missing: true
Expand All @@ -50,4 +62,8 @@ on_failure:
value: pipeline_error
- append:
field: error.message
value: '{{{ _ingest.on_failure_message }}}'
value: >-
Processor '{{{ _ingest.on_failure_processor_type }}}'
{{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
{{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
failed with message '{{{ _ingest.on_failure_message }}}'
14 changes: 10 additions & 4 deletions packages/zeek/data_stream/capture_loss/elasticsearch/ingest_pipeline/third-party.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@
description: Pipeline for parsing Zeek logs from third party api
processors:
- fingerprint:
tag: fingerprint_8e6b679f
fields:
- _temp_.result._cd
- _temp_.result._indextime
Expand All @@ -12,21 +13,26 @@ processors:
target_field: '_id'
ignore_missing: true
- set:
tag: set_event_original_5bbfe67e
field: event.original
copy_from: _temp_.result._raw
ignore_empty_value: true
- set:
tag: set_host_name_d99bf8df
field: host.name
copy_from: _temp_.result.host
ignore_empty_value: true
- set:
tag: set_log_file_path_76cd6132
copy_from: _temp_.result.source
field: log.file.path
ignore_empty_value: true
- remove:
tag: remove__temp__fc21405e
field: _temp_
ignore_missing: true
- json:
tag: json_event_original_to__temp__7408cf8c
field: event.original
target_field: _temp_
on_failure:
Expand All @@ -36,7 +42,7 @@ on_failure:
- append:
field: error.message
value: >-
error in third party api pipeline:
error in [{{{_ingest.on_failure_processor_type}}}] processor{{{#_ingest.on_failure_processor_tag}}}
with tag [{{{_ingest.on_failure_processor_tag }}}]{{{/_ingest.on_failure_processor_tag}}}
{{{ _ingest.on_failure_message }}}
Processor '{{{ _ingest.on_failure_processor_type }}}'
{{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
{{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
failed with message '{{{ _ingest.on_failure_message }}}'
1 change: 0 additions & 1 deletion packages/zeek/data_stream/capture_loss/manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,4 +40,3 @@ streams:
template_path: log.yml.hbs
title: Zeek capture_loss.log
description: Collect Zeek capture_loss logs

Loading